The risks of serious business disruption are steadily increasing due to the greater complexity of modern business and the burgeoning range of potential threats. Nearly one in five businesses suffer from a major disruption ever year, 80% of whom end up closing within 18 months. Among the firms that suffer a loss of data, 90% stop trading within two years.
Planning for recovery from a major incident or disruption is increasingly recognised as an essential component of an organisation’s risk management strategy. Firms are accustomed to planning for other areas of risk, so planning for business continuity should be no different.
Business continuity planning (BCP) allows management to anticipate risks and develop contingency plans to ensure that the business continues to operate, whatever the disruption. The steps towards creating an effective business continuity plan are:
- Examine the threats and vulnerabilities facing the business and develop scenarios of how the threats might materialise.
- Develop action plans to help you respond to the identified scenarios.
- Link action plans to resources, people, facilities and infrastructure.
- Develop supporting procedures and establish your crisis management team, ensuring that each team member knows what they have to do.
Preparing for new risks
Every significant change in the business environment presents new risks and, hopefully, raises the profile of the need for good and efficient BCP. These range from fluctuations in the oil price, the recession, loss of clients, or dependency on key new skills.
For many the focus is on resilience to prevent the disaster occurring, which is a very effective way to reduce the likelihood of a risk materialising. However, no matter how good your resilience measures are, life has a way of intervening and devising a set of circumstances that ensure the disaster will still happen.
The current trend towards cloud computing for many organisations reinforces the need for the business to have robust and tested business continuity plans, as many of the factors which could result in a major disruption are then out of your control.
Swine flu and the IT department
The focus last year on swine flu has certainly helped to capture businesses attention and is the latest driver of many BCP improvement programmes. As was seen with the swine flu outbreak it starts with the containment stage; this escalates to full pandemic status at some stage in the near future and, as a consequence, members of staff, including key IT specialists, are likely to:
- Come into contact with people being tested for the virus
- Come into contact with confirmed cases
- Be tested themselves for the virus
- Become confirmed cases of flu themselves
All of the above options are likely to have a major impact on any firm’s ability to deliver services to clients, especially if it starts to occur in significant numbers. We have no way of predicting who will be affected or when, including ourselves.
The multiplier effect of losing key IT staff should not be underestimated; they may be the ones who are making home or remote working available for the rest of the staff, thus minimising the impact on the business. Lose the IT staff and you also lose some of the mitigation, exposing the business to greater risk. If the IT team (or possibly your cloud computing provider) loses a key manager or specialist for two weeks, who can fill in for them and which projects do you cancel or postpone?
Recovery from the effects
The potential downside of a major business interruption in terms of loss of revenue, dissatisfied clients and damaged confidence is considerable, and could even be fatal. Business continuity planning helps to significantly reduce the duration of business interruption caused by a crisis because it reduces the time taken to work out how to recover from it.
It’s not just IT departments and sectors that need to be concerned about business continuity planning, it’s a business wide issue and the first step is to create an effective company-wide plan. Start by drawing up a map of how your business works, what the key business areas are and what things each area needs to function correctly. Don’t overlook non-IT issues such as buildings, desks, documentation and staff.
Look at the measures already in place to cope with problems, if any, and whether they are enough. Try to understand the cost of an area not being able to do its job within a certain amount of time as this information will drive everything else. These are questions that only the individual business can pose and answer. Now is always the time to start that process.